Wireless expert Jim Cook, quoted in the article, will be presenting at the HTCIA International Training Conference & Expo in September. To promote his lecture via their blog*, I interviewed him for more information.

We ended up in a long discussion that wouldn’t fit there, but that I thought would fit quite well here, about things first responders and investigators both need to know about cell phone evidence — but rarely do.

Why cell data mapping?

Cook says in some cases, the cell phone can be one of the primary pieces of evidence. It usually contains content and metadata (information about content, such as a date/time stamp or geotag on an image or video).

In other cases, the data on the phone may be deleted. While cell phone forensics can recover this kind of data, it may not recover everything (depending on the tool used and the examiner’s skill level). Even if it does, carrier data can be an important corroboration of what the phone tells the investigator.

“Sometimes you don’t have the weapon, or witnesses, but you do have potential suspects,” Cook explains. “The victim’s or suspects’ cell phones and carrier data together can contain critical evidence including a suspect’s movements, possible witnesses or even more suspects.”

Otherwise, with no clues, investigators may want to consider requesting a “tower dump.” The tower dump is a request which the investigator makes of the carrier to provide all call, text, and data transmissions that connect to the cell sites covering the crime’s geographic area for a specified time period.

Cell carriers are encouraged to “co-locate,” or lease space on the tower(s) they own, to other carriers wishing coverage in an area that they don’t currently cover. That means that a single tower can contain records for multiple carriers’ customers — which can run into the hundreds or even thousands, depending on the time period and the location.

“A tower dump is a ‘needle in a haystack’ piece of evidence,” Cook says, “but it can be especially useful with serial crimes such as home invasions, robberies or sexual assaults, because tower dumps for each crime location can be cross-referenced for numbers that come up in all locations.” In a case he assisted with, this type of evidence was backed up with search warrants to specific carriers, which led to the arrests of 11 suspects.
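The cross-referencing Cook describes, as an added example that is not part of the original interview: three constructed tower dumps (one per incident, with carriers formatting numbers differently) are parsed, numbers are normalized, and the script reports which numbers appear at every scene. The column layout and number formats are assumptions for illustration, not any carrier's real export.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one tower dump per incident, covering the sites and
# sectors the carriers identified for each scene during the requested window.
TOWER_DUMPS = {
    "home_invasion_1": """carrier,number,cell_site,sector,timestamp,event
CarrierX,5550001111,A-101,2,2012-05-01T02:10:00,call
CarrierY,5550002222,A-101,2,2012-05-01T02:12:00,sms
CarrierX,5550003333,A-101,3,2012-05-01T02:20:00,data
""",
    "home_invasion_2": """carrier,number,cell_site,sector,timestamp,event
CarrierY,+1 555 000 1111,B-207,1,2012-05-09T01:55:00,data
CarrierZ,5550004444,B-207,1,2012-05-09T02:02:00,call
CarrierY,555-000-2222,B-207,3,2012-05-09T02:30:00,sms
""",
    "home_invasion_3": """carrier,number,cell_site,sector,timestamp,event
CarrierX,(555) 000-1111,C-042,2,2012-05-15T03:05:00,call
CarrierZ,5550005555,C-042,2,2012-05-15T03:07:00,data
""",
}


def normalize_number(raw):
    """Reduce a number to bare digits and drop a leading US country code, so
    '+1 555 000 1111', '555-000-1111' and '5550001111' compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def parse_dump(text):
    """Return the set of normalized subscriber numbers appearing in one dump."""
    return {normalize_number(row["number"]) for row in csv.DictReader(StringIO(text))}


def common_numbers(dumps, min_incidents=None):
    """Map each number to the incidents it appeared at, keeping only numbers seen
    at `min_incidents` or more scenes (default: every scene in `dumps`)."""
    min_incidents = min_incidents or len(dumps)
    seen_at = defaultdict(set)
    for incident, text in dumps.items():
        for number in parse_dump(text):
            seen_at[number].add(incident)
    return {n: sorted(s) for n, s in seen_at.items() if len(s) >= min_incidents}
```

Lowering `min_incidents` widens the net to numbers present at most, but not all, of the scenes, which matters when one scene's dump is incomplete.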

But so much evidence can be overwhelming in its raw format. Once the tower dump leads to a specific suspect via a specific carrier, as in the case example above, those call detail records can be mapped as a way to help non-technical people visualize a suspect’s or victim’s movements.

Visualizing a cell sector as a “piece of pie.”

“You first explain to the jury how the phone actually works,” says Cook. “You explain antennas, sectors [he uses the analogy of a piece of pie] and so on — then the call process, and how the carrier captures the data.

“Then you show them the map and how you plotted the data, and ultimately, what it means to the case — how it solidifies or even potentially refutes other evidence, including eyewitness accounts, video or social networking updates.” He estimates the conviction rate on cases he has assisted with is 96-97 percent. “Cellular phones are really the new DNA,” he adds, paraphrasing Santa Clara County Deputy DA Vicki Gemetti.

So how do investigators do the mapping?

1. Book cell phones as evidence; don’t mark them as personal property.

“Personal property, if picked up by the suspect or a designee, can be wiped of any and all content,” says Cook. “Booking the phone as evidence allows you to write a search warrant to examine the phone, and also obtain call detail records, text and data transmissions from the carrier for the time period in question, which should be done ASAP because it’s volatile. Not every carrier holds it for a year — some expunge call records after just 90 days.”

Currently, MetroPCS is the only carrier that maintains text message content for up to 60 days. Other carriers such as AT&T and Sprint don’t maintain content at all, while some (like Verizon) maintain it for very short periods of time — six to eight days.

Call detail records can substantiate witness, suspect, or victim testimony, and can even solve a case. At that level, waiting too long can be fatal to a case.

2. Be sure to get data from the phone, too.

Don’t over-rely on the carrier, even if you haven’t waited too long. “There is always more evidence,” says Cook. “Take the extra step or two you need to find what you can find from the device.

“Don’t think you can’t get data if the phone’s battery isn’t charged, or if you don’t have cell phone forensic tools. I’ve bought chargers for police from wireless retailers,” he adds. “And if you don’t have a forensic tool, or the tool you have doesn’t work on that phone, or you have only one tool, find an agency that has a tool that will work or a different tool from the one you use. There is always more data; to recover the maximum amount of data from the device, use more than one tool.”

3. Write warrants for carrier data from at least the past three months.

Cook raised this point in the LET article as what he calls “the Jim Cook Rule #1”: go far beyond the immediate period of time you’re interested in.

“We’re all creatures of habit,” he says. “We’re up in the morning, on the road by a certain time, driving through Starbucks and calling mom or dad on our way to work. We have similar routines on the way home and on the weekends.

“But then, we take our phone to New York, and there’s this big gap of no activity when normally, we’re talking to people. Only an extended sample of call detail records can show whether this is out of the ordinary, or part of a subject’s monthly routine.”
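Why an extended sample matters, as an added example that is not from the interview: a constructed twelve-week set of call detail record timestamps (a weekday commute call at 07:30 and 17:45, with one week away) is turned into the subject's routine, and a given day is then checked for habitual hours with no activity. The data, thresholds and function names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta


def constructed_cdr(start, weeks, quiet_days=()):
    """Constructed sample CDR timestamps (not real carrier data): a call at
    07:30 and 17:45 on every weekday for `weeks` weeks, except on `quiet_days`,
    which mimic the out-of-town gap described above."""
    events = []
    for offset in range(weeks * 7):
        day = start + timedelta(days=offset)
        if day.weekday() < 5 and day not in quiet_days:
            events.append(datetime.combine(day, time(7, 30)))
            events.append(datetime.combine(day, time(17, 45)))
    return events


def habitual_slots(events, weeks, min_fraction=0.75):
    """(weekday, hour) slots in which the subject had activity on at least
    `min_fraction` of the weeks in the sample: the subject's routine."""
    days_per_slot = defaultdict(set)
    for ts in events:
        days_per_slot[(ts.weekday(), ts.hour)].add(ts.date())
    return {slot for slot, days in days_per_slot.items()
            if len(days) / weeks >= min_fraction}


def unusual_gaps(events, day, habitual):
    """Hours of `day` that fall in a habitual slot but show no activity at all."""
    active_hours = {ts.hour for ts in events if ts.date() == day}
    return sorted(h for wd, h in habitual
                  if wd == day.weekday() and h not in active_hours)


# Twelve weeks from Monday 2012-02-06, with no activity Mon-Fri of 16-20 April.
TRIP = [date(2012, 4, 16) + timedelta(days=i) for i in range(5)]
EVENTS = constructed_cdr(date(2012, 2, 6), 12, quiet_days=TRIP)
ROUTINE = habitual_slots(EVENTS, 12)
```

With only the trip week's records there would be no routine to compare against; the gap only stands out because the baseline covers the surrounding weeks.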

4. In your warrant, use the right verbiage.

Also discussed in the article — a sidebar goes into the specific eight items that Cook recommends — is the need to get the right amount of detail in the search warrant. “Carriers need exact requirements for certain information,” says Cook, “like cell sites and sectors, along with the phone data. If they don’t provide it up front, investigators will end up having to write multiple warrants.” That can waste precious time and lose data along the way.

5. Make sure you’re getting the right data from the carrier.

If the defense attorney is doing his or her job, you may need to prove that the phone really belonged to the suspect at the time of the incident. “Number portability and number switching mean that the investigator needs to find out if the device was active and billable in the suspect device’s carrier’s network during the specified date range,” says Cook.

“If not, you have to find out where to serve the paper sooner rather than later, while the data is still there, instead of finding out you were wrong two or three months later when the records are gone.” Services like FoneFinder or Neustar will show carriers of record; however, they aren’t always 100% accurate, and investigators should follow up their findings with a phone call to those carriers.

6. Be specific with tower dump requests.

If you have to take that next step into the haystack, provide carriers with the physical address and the longitude and latitude of the crime scene or other location of interest; then request a tower dump of all calls, text events and data transmissions from all cell sites and sectors covering that geographic area during the period of time in question. “Let the carrier’s engineers determine the best sites and sectors, as opposed to an investigator making an incorrect assumption that will only result in the wrong data being obtained,” says Cook.

Questions about cell phone investigations or mapping, or want to get in touch with Jim Cook directly? Let us know in the comments!

*Disclosure: HTCIA is a client, but I was not compensated for this post.